Do not use your password
Update: Republished on March 29 with FIDO’s response to Microsoft’s password deletion update and a major change to the company’s sign-in requirements.
All change for Microsoft. The company has suddenly confirmed a major update “for over 1 billion end users,” as the deletion of passwords for all users becomes real. Your Microsoft password, it warns, “could be easily forgotten or guessed by an attacker,” and it’s now time “to completely remove the password from your account.”
“The password era is ending,” Microsoft warned in December. “Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” With “7,000 attacks on passwords [blocked] per second… almost double from a year ago,” the company is on a mission to “convince a billion users to love passkeys.”
A passkey replaces password and two-factor authentication (2FA) codes with account authentication linked to your hardware devices or devices and secured by the same security that unlocks that device, most likely your fingerprint or your face. Unlike passwords, this means a passkey cannot leak or be stolen as it requires that physical hardware device. And unlike 2FA, it cannot be intercepted or bypassed.
This latest update is the next stage of that shift from passwords to passkeys. “By the end of April, most Microsoft account users will see updated sign in and sign-up user experience for web and mobile apps.” This has enabled the company “to rethink the default experiences for sign in, putting even greater emphasis on usability and security — our new UX is optimized for a passwordless and passkey-first experience.”
Microsoft explains that when signing up for a new account, just entering your email address will be enough. “You don’t have to create a new Microsoft password… All you need to do is verify the email with a one-time code, and this becomes the default credential for your new account, so you start off passwordless.”
Once signed in, users will then create their passkeys. “We’re also updating the Microsoft account sign in logic, so your passkey is the default sign in choice whenever possible, because passkeys are more secure and three times faster than passwords.”
Microsoft has been very clear as to why adding passkeys is not good enough if passwords remain on the account. “Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing.”
That’s why password deletion is the goal, and it’s becoming more critical with new AI-fueled attacks and successful 2FA compromises making weekly headlines. “Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials,” Microsoft says. “Millions of users have deleted their passwords.”
Goodbye password
“The FIDO Alliance has been laser focused on eliminating the world’s dependence on passwords for over a decade,” its CEO Andrew Shikiar told me. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts, who can now instead leverage user-friendly, phishing-resistant passkeys.”
Kudos to Microsoft for the clarity and simplicity of its messaging here. The adoption of passkeys is accelerating, with HYPR confirming this week that “phishing-resistant authentication, led by FIDO passkeys, is projected to become the most widely deployed authentication method within two years.” But there’s much more still to be done.
What we need now is the same password deletion clarity from all other major platform providers to ensure this shift is wholesale. Google, in contrast to Microsoft, talks about passwords remaining as a backup credential for account access. But per Microsoft’s warning, this leaves a vulnerability in place. This should be the year we see consistent advice on passkeys and the eradication of password and simple 2FA usage.
“I think it’s fair to say that most companies that deploy passkeys do so with the ultimate intent of password deletion.” Shikiar suggests. “Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”
FIDO’s data suggests that “passkey familiarity [is] growing” and growing quickly. “In the two years since passkeys were announced and made available for consumer use, passkey awareness has risen by 50% from the 39% who said they were familiar in 2022 to 57% in 2024.” And critically given password deletion plans now coming to the fore, “the majority of those familiar with passkeys are enabling the technology to sign in. Meanwhile, despite passwords remaining the most common way for account sign-in, usage overall has declined as alternatives rise in availability.”
It’s not all good news from Microsoft on the account front, though. As reported by Windows Central, the Windows-maker has also “confirmed that it’s removing a popular command line that allowed users to bypass connecting to the internet and signing into a Microsoft Account when setting up a new Windows 11 PC.”
This refers to “bypassnro,” that has allowed users to enter a command prompt during Windows Setup “to skip connecting to the internet, therefore bypassing the Microsoft Account requirement.” But not any longer — which won’t land well with affected users.
“We’re removing the bypassnro.cmd script from the build to enhance security and user experience of Windows 11,” Microsoft has just confirmed in a dev blog. “This change ensures that all users exit setup with internet connectivity and a Microsoft Account.”
